What New RIAs Need to Consider with Electronic Communications

Defining a business record
Take an inventory of how you communicate internally, externally, and particularly with clients. This goes well beyond email into collaborations tools, social media, text messaging, and other messaging applications. Define what would be considered a business record under regulations. Consider how you will retain, review, and supervise those communications over the long haul.

Develop robust policies and procedures
Regulators are increasingly looking for customized, thoughtful business decisions in policies and procedures, so it's crucial to make sure that you're rightsizing your supervision and gaining crucial insights into your business as you're going through your review. RIAs should not only include what communications channels are permitted for business communications but include what is prohibited and how they'll supervise off-channel business communications.

Documentation of your supervision review is also crucial to electronic recordkeeping. Additionally, think through how you'll handle violations and ensure that policies and procedures reflect this. Once your policies and procedures are defined, think about customizing lexicons and reviews for different types of business communications you're engaged with. For example, consider using contextual phrases instead of single-word lexicons to identify risk and set up red flags for off-channel communications. This helps ensure that your business communications are supervised effectively.

Ongoing Evaluations
Features within those permitted channels are changing rapidly. Another best practice we're seeing is maintaining ongoing evaluation within those permitted channels. Is there a new whiteboard that's popped up in your communication channel? Is there a new feature that you must figure out? Can I monitor this? Can I turn it off if I'm going to prohibit it?

When it comes to regulatory obligations, it's important to know whether you're covered or exposed and what communication channels need to be archived to be compliant. It's also crucial to capture everything and let people know if some channels — or features within channels — are off-limits. If some channels cannot be archived, it's best to find out early in the process. There may be prerequisites, such as licenses or requirements from InfoSec teams, that need to be considered before choosing a compliance vendor.

Historical data should also be considered, mainly the cost-benefit analysis and what needs to be archived. Firms should also identify who is required to be archived and who needs to be archived in addition to them.

Define your goals and outcomes
Defining goals and outcomes is an important best practice when it comes to electronic communication for RIAs. Defining your goals helps you set measurable objectives, track progress and make needed adjustments along the way.

To get started, figure out why you need to archive electronic communications. Beyond regulatory requirements, there are other reasons, such as storing data longer for internal processes and policies. By defining the archiving goals, you can ensure that you're meeting compliance obligations and making the most of your investment in archiving solutions.

Once you have identified your goals, it's important to communicate them to your compliance archiver to ensure they are on board and delivering exactly what you need. This can help avoid miscommunications that could lead to non-compliance. It's also essential to ensure that your business partners understand the outcomes that you need, so they can help you achieve success.

Audit readiness
A well-designed supervision program should incorporate a centralized platform for efficient message alerting, documentation, reporting, and other compliance-related tasks, ensuring seamless accessibility and tracking in the event of an audit or regulatory request.

Firms are recommended to engage in periodic checks and balances for when the SEC visits, but also on an ongoing basis. This includes monthly, quarterly, or other regular assessments to determine whether you are meeting your targets and adhering to the requirements of your WSPs.

You should also review each user or channel to determine if you're under-reviewing or over-reviewing any area. It's essential to regularly evaluate policy and lexicon performance, as policies tend to drift over time. This review should include an assessment of your highest hit rate policies. It's vital to consider whether changes to communication channels have occurred over the last year — such as WhatsApp's rapid growth in the industry — and whether you have adjusted your policies accordingly.